cyber-events-log-abstract

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to summarize security events, but it ships with an embedded XDR API credential, disables TLS verification, and saves raw security data locally without clear upfront controls.

Install only after modifying it for your environment: remove and rotate the bundled API key, require a user-provided least-privilege credential and intended XDR endpoint, restore TLS verification, declare network/file/process permissions, and make raw-data persistence opt-in with clear retention and access controls.
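As an added example (written for this review, not code from the skill or from SkillSpector), the following Python shows what the remediation above looks like in practice, and it also covers the later findings on disabled TLS verification and silent raw-data persistence: the credential and endpoint come from the caller, the TLS context is the verifying default, and raw event JSON is only written when the caller opts in, with owner-only file permissions. The variable names XDR_API_KEY, XDR_ENDPOINT, XDR_SAVE_RAW, the allowlisted host suffix and the sample event are assumptions for illustration.

```python
"""Hardened fetch/persist configuration for an XDR-summarizing skill.

Added example for this review, not the skill's own code. The caller supplies
the credential and endpoint, TLS verification stays on, and raw-event
persistence is opt-in and owner-only. XDR_API_KEY, XDR_ENDPOINT, XDR_SAVE_RAW
and the allowed host suffix are assumed names.
"""
import json
import os
import ssl
import stat
import tempfile
from pathlib import Path
from typing import Callable, Mapping, Optional
from urllib.parse import urlparse

# Assumed: hostnames the operator has approved for this skill's outbound calls.
ALLOWED_ENDPOINT_SUFFIXES = (".example-xdr.internal",)


def build_request_config(env: Mapping[str, str]) -> dict:
    """Return credential header, endpoint and TLS context for the XDR call.

    Fails closed: no bundled fallback key, no plaintext http, no unverified TLS.
    """
    api_key = env.get("XDR_API_KEY", "").strip()
    if not api_key:
        raise RuntimeError("XDR_API_KEY must be supplied by the caller; no bundled key")

    endpoint = env.get("XDR_ENDPOINT", "").strip()
    parsed = urlparse(endpoint)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"XDR_ENDPOINT must be an https URL, got {endpoint!r}")
    if not parsed.hostname.endswith(ALLOWED_ENDPOINT_SUFFIXES):
        raise ValueError(f"XDR_ENDPOINT host {parsed.hostname!r} is not allowlisted")

    # create_default_context() sets CERT_REQUIRED and check_hostname=True; there is
    # no equivalent of the skill's verify=False / warning suppression here.
    ctx = ssl.create_default_context()
    return {"endpoint": endpoint,
            "headers": {"Authorization": f"Bearer {api_key}"},
            "ssl_context": ctx}


def persist_raw_events(events: list, env: Mapping[str, str], out_dir: Path) -> Optional[Path]:
    """Write raw event JSON only when the caller opted in with XDR_SAVE_RAW=1.

    The file is created 0600 before any data is written so other local users
    cannot read incident telemetry. Returns the path, or None when persistence is off.
    """
    if env.get("XDR_SAVE_RAW") != "1":
        return None
    out_dir.mkdir(parents=True, exist_ok=True)
    path = out_dir / "raw_events.json"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(events, fh)
    os.chmod(path, 0o600)  # tighten a pre-existing file too
    return path


def _raises(exc: type, fn: Callable, *args) -> bool:
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo() -> dict:
    """Exercise the checks on constructed inputs and return the observations."""
    good = {"XDR_API_KEY": "k-constructed",
            "XDR_ENDPOINT": "https://xdr.example-xdr.internal/api/v1/events"}
    cfg = build_request_config(good)
    ctx = cfg["ssl_context"]
    out = {
        "auth_header": cfg["headers"]["Authorization"],
        "tls_verified": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "rejects_http": _raises(ValueError, build_request_config,
                                dict(good, XDR_ENDPOINT="http://xdr.example-xdr.internal/")),
        "rejects_foreign_host": _raises(ValueError, build_request_config,
                                        dict(good, XDR_ENDPOINT="https://attacker.example/")),
        "rejects_missing_key": _raises(RuntimeError, build_request_config,
                                       {"XDR_ENDPOINT": good["XDR_ENDPOINT"]}),
    }
    # Constructed sample event; real XDR payloads carry far more context.
    events = [{"id": 1, "src_ip": "198.51.100.7", "rule": "constructed sample"}]
    with tempfile.TemporaryDirectory() as tmp:
        out["skipped_without_optin"] = persist_raw_events(events, {}, Path(tmp)) is None
        written = persist_raw_events(events, {"XDR_SAVE_RAW": "1"}, Path(tmp))
        out["raw_file_mode"] = oct(stat.S_IMODE(written.stat().st_mode))
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The endpoint allowlist is the part most worth keeping even if the rest is adapted: a user-supplied endpoint with no host check would let a caller redirect the credentialed request to a host of their choosing, which is the same exfiltration path the bundled key opens today.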

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Execute the command
import subprocess
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

if result.returncode != 0:
    raise Exception(f"Failed to run the security report script: {result.stderr}")
Confidence
96% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
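To make the flagged pattern concrete, here is an added example (written for this review, not code from the skill) that runs the same `shell=True` call with a caller-influenced value and shows a second command being executed, next to a hardened form that validates the argument and passes argv as a list with no shell. `echo` and a `python -c` one-liner stand in for the skill's real report script, and the `--days`-style argument is an assumption.

```python
"""shell=True with an interpolated string versus a validated argv list.

Added example for this review, not the skill's own code. The real report
script is replaced by `echo` / a python -c one-liner so it runs offline.
"""
import subprocess
import sys


def run_report_vulnerable(days: str) -> str:
    """Mirrors the flagged pattern: caller-controlled text is interpolated into
    a command string that a shell then parses, so ';' starts a second command."""
    cmd = f"echo days={days}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_report_hardened(days: str) -> str:
    """Validate the argument, then pass argv as a list with shell=False, so any
    metacharacters in `days` reach the script as one literal argument."""
    if not days.isdigit() or not 1 <= int(days) <= 365:
        raise ValueError(f"days must be an integer in 1..365, got {days!r}")
    # sys.executable -c stands in for the skill's report script.
    argv = [sys.executable, "-c", "import sys; print('days=' + sys.argv[1])", days]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError(f"report script failed: {result.stderr}")
    return result.stdout


def injected_command_ran(days: str) -> bool:
    """True when the vulnerable form executed a command smuggled in via `days`."""
    return "INJECTED" in run_report_vulnerable(days)


if __name__ == "__main__":
    payload = "7; echo INJECTED"  # constructed malicious input
    print("vulnerable output:", repr(run_report_vulnerable(payload)))
    print("hardened output:", repr(run_report_hardened("7")))
```

The validation step matters as much as dropping `shell=True`: without it, a list-form call would still pass `"7; echo INJECTED"` through intact, and whether that is harmful then depends entirely on what the report script does with its argument.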

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions, yet its documented behavior requires shell execution, network access, and local file read/write operations. This creates a trust and containment gap: a caller or platform may treat the skill as low-risk while it can invoke external scripts, fetch security data, and persist outputs, which increases the chance of unintended data access or exfiltration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior goes far beyond summarization: it accesses remote/internal security APIs, stores raw event JSON locally, writes Markdown reports, and reportedly uses a hardcoded API key. Hardcoded credentials combined with undeclared network and storage behavior can expose sensitive security telemetry, enable unauthorized API use, and leave durable local copies of confidential incident data.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The manifest presents the skill as a simple summarizer, but the instructions require running an external script to pull XDR statistics first. This hidden dependency increases risk because users and orchestrators may invoke the skill without realizing it triggers code execution and external/internal data retrieval.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as generating a concise summary, but it also stores full raw security event data under the user's home workspace. Security-event data can include sensitive operational details, attacker/victim IPs, and incident context, so persisting the raw dataset expands exposure beyond the stated function.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
A summarization-oriented skill invoking another Python script through a shell introduces an execution capability not obviously required for simple report formatting. That broader capability increases attack surface because the skill now depends on external script behavior and command execution semantics rather than only transforming provided data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is described as a summarization tool, but it directly pulls raw security event data from an external XDR API. This expands the skill's capabilities beyond passive summarization and can expose sensitive telemetry or enable unauthorized data access if the skill is run in an unexpected context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A hard-coded API key in source code is a real secret exposure. Anyone with access to the skill file can reuse the credential to query the XDR API, potentially extracting sensitive security-event data or abusing the backend service.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code explicitly disables TLS verification and suppresses related warnings before calling a security API. This allows man-in-the-middle interception or tampering with security telemetry and credentials, especially dangerous because the request includes an API key.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code writes sensitive raw security-event data to disk before any upfront disclosure or consent, only mentioning the saved path after the action. For incident-response data, silent persistence can create confidentiality and compliance issues because users may not expect durable local storage of full raw event payloads.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill silently sends a credentialed request to an external security platform without any user-facing disclosure. In the context of a summarization skill, hidden outbound access to sensitive infrastructure increases the risk of unanticipated data access and weakens informed consent and governance.

VirusTotal

VirusTotal findings are pending for this skill version.
